Image Upload Security - Am I missing anything?


fl00d
06-24-2008, 06:13 AM
Hi,

I recently made an image upload script and I plan to enhance it with more features in the near future, but first I want to make sure it is secure (or as secure as can be). I've read a lot of posts saying some malicious user has taken advantage of their script and asking what they can do to fix it. I'd rather not have to make a post like that, so that's why I'm making this one now - to verify all my bases are covered :D

Here's the list of what my security comprises of: (in no specific order)

1) MIME validation - whitelist
2) Header 'Content-Type' validation using GD library
3) File extension validation - whitelist
4) File size validation
5) Stored in DB

Have I missed anything that I should be checking? Any suggestions to further improve security?

Thanks
-fl00d

Fou-Lu
06-24-2008, 09:24 AM
Sounds like you took pretty good measures. With an image stored in a database you needn't worry about direct access of the image, just in case it's got embedded code in it.

Only thing I can think of that might botch what you've done is if you didn't properly secure your queries against an injection. I'm betting that with everything else you've done that that isn't a problem though.

The only thing that you could possibly do is open the actual file, and scan the header in to determine the file type as a final precaution (I find sometimes the mime is off). Chances are that won't be a problem.

fl00d
06-25-2008, 04:35 AM
How would I open the file and scan the header? Using fread or file_get_contents or is there a specific command to do so?

I'm about to go look it up.

Fou-Lu
06-25-2008, 04:47 AM
If you're interested, I would recommend the use of fread for performance reasons. On top of that, headers work differently for different files (some are at the beginning and some at the end). I honestly wouldn't go this far, unless it was an explicit request by a client.
Header information is significantly more difficult to read in a language like PHP compared to something like C. C is easy since a specific file format has a specific header with specific sized fields. This lets you read data to the exact size of the header and simply stuff it into a structure (kinda like a collection of variables, not quite an object but kinda close). PHP doesn't let you do this, and its weak datatyping makes it exceptionally difficult to control the forcing of data into the object (compared to C/C++).

Best I know, there is no publicly available function in PHP to do this, but I could be mistaken. Somewhere they do some of the work for you when you get the image size information, but limit the information you're given back.

I did a quick check in the website, you may be able to make use of some exif (http://ca3.php.net/manual/en/ref.exif.php) functions. The read data one appears to dump the header out. I believe you need to have an additional module loaded for this to work though.

Like I said, overkill.
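Fou-Lu's suggestion in the two replies above (reading the file's own leading bytes with fread as a final check on top of the MIME, extension and size checks from the first post), as an added example that is not code posted in this thread. It assumes PHP 7.1 or later; the function names, the signature table and the size-limit parameter are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ and only the
// core file functions plus getimagesize(); no extra extension is needed.
// Leading-byte signatures of the whitelisted types (constructed table).
const IMAGE_SIGNATURES = [
    'jpg' => ["\xFF\xD8\xFF"],
    'png' => ["\x89PNG\r\n\x1A\n"],
    'gif' => ['GIF87a', 'GIF89a'],
];
const EXPECTED_IMAGETYPE = ['jpg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
const ALLOWED_EXTENSIONS  = ['jpg' => ['jpg', 'jpeg'], 'png' => ['png'], 'gif' => ['gif']];
// Read only the first 8 bytes with fread, as suggested in the thread, and
// compare them to the signatures. Returns the type key or null on no match.
function detectImageType(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 8);
    fclose($fh);
    foreach (IMAGE_SIGNATURES as $type => $signatures) {
        foreach ($signatures as $sig) {
            if ($head !== false && strncmp($head, $sig, strlen($sig)) === 0) {
                return $type;
            }
        }
    }
    return null;
}
// Combined check: size limit, magic bytes, an extension consistent with the
// detected type, and getimagesize() agreeing with the magic bytes. A file
// named photo.jpg whose bytes begin with "<?php" is rejected at the magic-byte step.
function isAcceptableImage(string $path, string $originalName, int $maxBytes): bool
{
    if (!is_file($path) || filesize($path) > $maxBytes) {
        return false;
    }
    $type = detectImageType($path);
    if ($type === null) {
        return false;
    }
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS[$type], true)) {
        return false;
    }
    $info = @getimagesize($path); // false on anything that is not a parsable image
    return $info !== false && $info[2] === EXPECTED_IMAGETYPE[$type];
}
```

Call `isAcceptableImage($_FILES['img']['tmp_name'], $_FILES['img']['name'], 2 * 1024 * 1024)` before inserting the contents into the database; the extension is taken from the client-supplied name, so it is only trusted after the bytes have been checked.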